Side-Channel Attacks on Threshold Implementations using a Glitch Algebra

Transcription

1 Side-Channel Attacks on Threshold Implementations using a Glitch Algebra Serge Vaudenay EPFL CH-1015 Lausanne, Switzerland Abstract. Threshold implementations allow to implement circuits using secret sharing in a way to thwart side-channel attacks based on probing or power analysis. It was proven they resist to attacks based on glitches as well. In this report, we show the limitations of these results. Concretely, this approach proves security against attacks which use the average power consumption of an isolated circuit. But there is no security provided against attacks using a non-linear function of the power traces (such as the mean of squares or the majority of a threshold function), and there is no security provided for cascades of circuits, even with the power mean. We take as an example the threshold implementation of the AND function by Nikova, Rechberger, and Rijmen with 3 and 4 shares. We further consider a proposal for higher-order by Bilgin et al. 1 Introduction Since the late 1990 s, many side-channel attacks based on either power analysis or probing have been presented. We consider essentially two types of attacks. In Differential power attacks (DPA), the adversary collects many samples of the sum of the power used by all gates of the circuit with noise. In Probing attacks, the adversary gets a few intermediate values of the computation by probing the circuit. All measures are subject to noise and can be modeled []. Duc et al. have shown that these two attacks are essentially equivalent [4]. One devastating type of attack is based on glitches. It takes into account that electric signals are not necessarily a classical 0/1 signal but a real function over a clock period which is non constant. For instance, the signal can be intermediate between 0 and 1, or switching several times between 0 and 1 during the clock period, or a signal with a very short switching peak, etc. The CMOS technology uses very little power. Signals switching in between clock periods use power. Essentially, only signal switches use power. So, a glitch induces an abnormal power consumption which is visible during a clock period [5]. To avoid these attacks, masking is a common method. Essentially, instead of running the computations based on inputs x and y to obtain a result z, we first use a secret sharing for x and y to split it into n random shares (x 1,..., x n ) and (y 1,..., y n ) and run the computation on the shares to obtain a sharing (z 1,..., z n ) of z. Usually, the secret sharing is the simple (n, n)-scheme in which

2 x = x 1 x n, y = y 1 y n, and z = z 1 z n. Trichina, Korkishko, and Lee [11] proposed an implementation of an AND gate with n =. In [7], Nikova, Rechberger, and Rijmen proposed the threshold implementation which transforms a gate (such as an AND gate) into a circuit which resists to probing attacks with a single probe or DPA based on the average of the power consumption. One construction uses n = 3 and another one with n = 4 has the property that output shares are always balanced. In [1], Bilgin et al. extend this method to higher orders, to make circuits resisting to probes or DPA based on a nd order moment of the power consumption. They propose an implementation of an AND gate with n = 5 but this implementation requires internal flip/flop registers, thus induce latencies, just to have a secure AND circuit. These constructions were recently consolidated in [9]. Our results. As the glitch propagation model highly depends on concrete implementations, in this paper, we consider several models for accounting glitches obtained by the XOR of two glitched signals. We do not advertise any model to be better but rather show how little influence the model has on the security results. In a first model, the double-glitch simply counts as twice a normal glitch. In this model, the mean power for the construction with n = does not leak. In a second model, the double-glitch counts as a normal one. In a third model, the two glitches cancel each other and do not count. In the two latter models, the construction with n = leaks from the mean power. In the mentioned constructions using n >, we show that two probes leak, that some non-linear function of the power (such as the mean of squares or the majority of a threshold function) leak, and that by composing two circuits implementing two AND gates, one probe leaks. Finally we show that in the three models, the AND construction using n = 5 (the one resisting nd order attacks) does not resist to an attack with two probes when we do not add internal flip/flop registers. The security claims coming with these implementations from the literature are of the form if [conditions] then we have security. We do not contradict any of these results. In this paper, we complement them by showing that when the conditions are not met, we clearly have insecurity. So, these conditions are not only sufficient: they are also necessary. The Theory.1 The Glitch Algebra Algebra is the part of mathematics in which letters and other general symbols are used to represent numbers and quantities in formulae and equations. Herein, we propose to represent glitches as well and to do operations on glitches. In what follows we use the following conventions: a signal is a function from a clock cycle [0, τ] to R; we consider real numbers as constant signals, we consider bits as real numbers in {0, 1}; + and denote the addition and multiplication of reals;,, and denote the XOR, OR, and AND of signals.

3 A signal represents a bit. To avoid confusion, from now on we denote with regular letters a signal and we denote with a bar the bit it is supposed to represent. We say that a signal x has no glitch if it is constant and equal to the bit x it represents. The functions,, and are defined by the gates implementing these functions. We only know that they match what we know about bits: a b = a+b mod, a b = max(a, b), and a b = ab when a and b have no glitch. Furthermore, we define a function glitch giving the number of glitches in a signal and a function power giving the power consumption of a gate. We assume that glitch(x) = 0 if x has no glitch. The function glitch applies to a signal but the function power applies to a gate. Concretely, a gate g = op(a, b) with output signal c corresponds to power(g) = glitch(c)p op where p op is a constant. So, power(g) = 0 if op(a, b) has no glitch. Actually, this is an approximation. Essentially, it is assumed that a stable signal uses very little power while a glitch induces a high power consumption, like in the CMOS technology [5]. The assumption on the influence of glitches on the power consumption may be a bit arbitrary. In the sequel, we take for granted that when y has no glitch, then x y has the same glitch as x. When y has no glitch and ȳ = 0, we assume that x y has no glitch either (due to the AND with 0). When y has no glitch and ȳ = 1, we assume that x y has the same glitch as x. So, { glitch(x y) = 0 if glitch(y) = 0 and ȳ = 0 glitch(x) if glitch(y) = 0 and ȳ = 1 glitch(x y) = glitch(x) if glitch(y) = 0 We further define Σpower as the sum of power(g) for all gates g in a circuit. It is not quite clear how to define glitch(x y) for two glitched signals x and y in general. Even for glitch(x y), we may take one of the following assumptions: glitch(x y) = glitch(x) + glitch(y) (1) glitch(x y) = max(glitch(x), glitch(y)) () glitch(x y) = glitch(x) glitch(y) (3) These assumptions are quite reasonable in theory. (1) accounts for glitches which cumulate, for instance because they occur at different time in a clock period. () assumes that a glitch can be hidden by another one. (3) comes from saying that two perfectly identical glitches should cancel each other in a XOR. However, reality is more complex and probably a mixture of these three models: glitch(x y) = F (glitch(x), glitch(y)) for some symmetric function F. For simplicity, we will study these simple assumptions. We will see that nearly all assumptions give the same results. Each defines some kind of glitch algebra on which we can do computations. In this report, we consider two types of side-channel attacks based on glitches. Power analysis: the adversary can see Σpower with noise. Probing attack: for a gate g, the adversary can get glitch(g) with some noise. Duc et al. have shown that these two attacks are equivalent [4]. 3

4 . Side-Channel Attack with Noise In side-channel attack, we measure a quantity S in a discrete domain D but the measurement comes with noise so we obtain Z = S + noise. We assume that S follows a distribution Pb S depending on a secret bit b. We want to make a guess X for b. An algorithm taking some random input and giving X as output is a distinguisher. The Type I error is α = Pr[X = 1 b = 0]. The Type II error is β = Pr[X = 0 b = 1]. The error probability is P e = Pr[X b] = α Pr[b = 0] + β Pr[b = 1] so depends on the distribution of b. The advantage of the distinguisher is Adv = Pr[X = 1 b = 0] Pr[X = 1 b = 1] = α + β 1. If Pb Z denotes the obtained distribution for Z. We know that the largest advantage using one single sample Z is Adv = d(p0 Z, P1 Z ) defined by the statistical distance between P0 Z and P1 Z. d(p0 Z, P1 Z ) = 1 Pr[Z = z b = 0] Pr[Z = z b = 1] z Theorem 1 (Precision amplification). Given an elementary distinguisher computing X from Z, with Type I error probability α 1 and Type II error probability β 1, for any N we can construct a distinguisher such that from i.i.d. samples Z 1,..., Z N we compute X with error probability P e e N( 1 min(α,β)) (4) Taking N = ( 1 min(α, β)), we obtain P e e 13%. Proof. We use the elementary distinguisher to compute the X 1,..., X N corresponding to Z 1,..., Z N. Then, we compute X = majority(x 1,..., X N ). Using the Chernoff bound (Lemma below), we obtain a new distinguisher with errors α N and β N such that α N e N( 1 α) and β N e N( 1 β). So, the error probability P e = α N Pr[b = 0] + β N Pr[b = 1] obtained by taking the majority vote decreases exponentially fast with N. As min(α, β) α, β 1, we obtain the result. Lemma (Chernoff [3]). Let X 1, X,..., X N be N independent boolean variables such that that E(X i ) = p for all i. We define X = majority(x 1,..., X N ). For all p < 1, we have Pr[X 0] e N( 1 p) For all p > 1, we have Pr[X 1] e N( 1 p) In what follows, we assume that the noise is Gaussian, centered, independent from S, and that the ratio of the standard deviation of the noise and of S is a given value σ. So, noise has a variance of σ V (S). Hence, ( ) Pr[noise x] = 1 erfc x σ V (S) 4

5 Threshold distinguisher. We consider the distinguisher computing X = 1 Z τ. In the Gaussian noise model, the Type I error is α = Pr[X = 1 b = 0] = s Pr[S = s b = 0] Pr[noise τ s] by symmetry of the noise distribution, the Type II error is β = Pr[X = 0 b = 1] = s Pr[S = s b = 1] Pr[noise s τ] By adjusting τ so that α = β = P e, we obtain that N = ( 1 P e) is enough to reach P e 13%. Case study for S = 1 b and b uniform. If S = 1 b and b is uniform, we have V (S) = 1 4. We adjust τ = 1 and obtain α = β = 1 erfc ( ) 0.5 σ. We obtain from Th. 1 that N = ( 1 1 erfc ( )) 0.5. σ For instance, with σ = 1, we have P e 16% and N = 17. With σ =, we have P e 31% and N = 55. We obtain that N σ + 4πσ using erfc(t) = 1 t π + o(t) for t 0. So, we see that N = O(σ ) is enough to guess b with error limited to a constant. This is a quite favorable attack as we can measure b directly. Attack for n = 1. As an example, given an AND gate z = x y (with no threshold protection, or equivalently n = 1), assuming that y is stable equal to some secret ȳ and that glitch(x) = 1, we have glitch(z) = ȳ. So, an attack measuring S = glitch(z) deduces ȳ trivially. We are in the case where S = glitch(z) = ȳ is binary and balanced. So, the above equation governs the complexity N of recovering ȳ using no threshold implementation and noise characterized by σ. Pushing to higher order measures. We can wonder what happens if, for some reasons, S does not leak but S leaks. Then, we should look at Z instead of Z. But Z = S + noise with noise = Snoise + noise. By neglecting the quadratic noise, we have V (noise ) 4V (S)V (noise) = 4σ V (S). Assuming V (S ) V (S), we can see that the effect of moving from S to S is only in doubling the value of σ. As we will see, a motivation of threshold cryptography is to prevent leaks at a lower order S to make the adversary look at higher order. This actually penalizes a bit the adversary. 3 Implementation with n = Trichina et al. [11] proposed an implementation of the AND gate to compute z = x y by using n = : 1. (secret sharing for x) pick a U Z and compute x = a x;. (secret sharing for y) pick b U Z and compute ỹ = b y; 3. (secret sharing for z) pick c U Z ; 4. compute z = (((c (a b)) (a ỹ)) (b x)) ( x ỹ) 5

6 by respecting the order of the parentheses; 5. the output ( z, c) shares z = c z. In [7], Nikova, Rechberger, and Rijmen observe that if the input signal x has a glitch and y is a secret input, then by analyzing the power consumption of the above gate we can easily deduce y. Indeed, assuming that an AND or XOR gate uses an abnormal power scheme proportional to the number of glitch on their result, the number of gates using an abnormal power scheme depends on y. So, we assume that glitch(x) = 1 and glitch({a, b, c, y}) = 0. We have so glitch( x) = 1 glitch( x ỹ) = ỹ = b ȳ glitch(ỹ) = 0 glitch((c (a b) (a ỹ)) (b x)) = b glitch(b x) = b b + ỹ with Assumption (1) glitch(z) = b ỹ with Assumption () ȳ with Assumption (3) b + ỹ with Assumption (1) Σpower = ( b + ỹ)p AND + b + b ỹ with Assumption () b.p XOR + ȳ with Assumption (3) If ȳ = 0, we have ỹ = b so 3 b with Assumption (1) Σpower = bp AND + b with Assumption () b.p XOR with Assumption (3) For ȳ = 1, this is Σpower = p AND + (1 + b).p XOR for Assumptions (1,,3). So, 0 with Assumption (1) 1 E(Σpower ȳ = 1) E(Σpower ȳ = 0) = with Assumption ().p XOR 1 with Assumption (3) It is explicitly said in [8, p. 97] that The power consumption caused by the glitch is related to the number of gates that see the glitch. It is clear [...] that the energy consumption depends on the values of [b and ỹ]. Since the mean power consumption is different for y = 0 and y = 1, the power consumption leaks information on the value y. The computation done in [8] to analyze the leakage was based on Assumption (1) as we can easily check from [8, Table 1]. So, we contradict this claim for Assumption (1): E(Σpower) is independent from ȳ in this case. However, it is true that E(Σpower) leaks ȳ for Assumption () and Assumption (3). For this implementation, the choice of the glitch algebra gives different conclusions. Similarly, in attacks based on probing z, we can see that E(glitch(z)) = 1 which is independent from ȳ in Assumption (1). For Assumption (), we have 6

7 E(glitch(z)) = 1 which is also independent from ȳ. For Assumption (3), we have glitch(z) = ȳ. In the latter case, we can see that E(glitch(z)) leaks ȳ so noisy samples for glitch(z) leak ȳ using the amplification technique of Eq. (4). This made [7] propose a threshold implementation of an AND gate using n = 3 or n = 4 shares, the above example being an example using n = shares. They prove that, contrarily to this example, probing a single gate in the computation leaks no information on any of the input x and y, on average. They deduce that their implementations resist to the above attacks based on glitches. We will show the limitations of this result with effective attacks. 4 Implementation with n = 3 Assuming that (x 1, x, x 3 ) shares x, (y 1, y, y 3 ) shares y, and (z 1, z, z 3 ) shares z, Nikova, Rechberger, and Rijmen [7] propose z 1 = (x y ) ((x y 3 ) (x 3 y )) z = (x 3 y 3 ) ((x 1 y 3 ) (x 3 y 1 )) z 3 = (x 1 y 1 ) ((x 1 y ) (x y 1 )) This construction satisfies the conditions from Nikova et al. [7]. We quote [7]: Theorem 3. [...] the mean power consumption of a circuit implementing realization [above] is independent of [ x, ȳ], even in the presence of glitches or the delayed arrival of some inputs. Although we do not contradict the independence of the mean with the input values, we show that a probing attack can leak ȳ easily. We further show that a cascade of this construction also leaks with the mean of power consumption. In the attacks, we will assume that none of the y i variables have a glitch, and that they are independent from the glitches in the x i variables. With Assumption (1), we have glitch(x i y j ) = glitch(x i )ȳ j glitch((x i y j ) (x j y i )) = glitch(x i )ȳ j + glitch(x j )ȳ i glitch(z 1 ) = glitch(x )(ȳ + ȳ 3 ) + glitch(x 3 )ȳ glitch(z ) = glitch(x 3 )(ȳ 3 + ȳ 1 ) + glitch(x 1 )ȳ 3 glitch(z 3 ) = glitch(x 1 )(ȳ 1 + ȳ ) + glitch(x )ȳ 1 so Σpower = i,j glitch(x i )ȳ j p AND + i glitch(x i )(ȳ 1 + ȳ + ȳ 3 ȳ i )p XOR In the glitch value of each gate, we can see that at least one variable ȳ i is not present (indeed, the construction was made for that). Since the ȳ i are uniformly distributed conditioned to ȳ = ȳ 1 ȳ ȳ 3, no matter the value of ȳ, the two 7

8 present ȳ i variables are uniformly distributed. So, the distribution of any glitch value is independent from ȳ. Consequently, it is the case for their mean value. Since Σpower is a linear combination of these values, due to the linearity of the mean operator, this is also the case for Σpower. With Assumption (), by writing max(ȳ i, ȳ j ) = ȳ i ȳ j, we have glitch(x i y j ) = glitch(x i )ȳ j glitch((x i y j ) (x j y i )) = max(glitch(x i )ȳ j, glitch(x j )ȳ i ) glitch(z 1 ) = max(glitch(x )(ȳ ȳ 3 ), glitch(x 3 )ȳ ) glitch(z ) = max(glitch(x 3 )(ȳ 3 ȳ 1 ), glitch(x 1 )ȳ 3 ) glitch(z 3 ) = max(glitch(x 1 )(ȳ 1 ȳ ), glitch(x )ȳ 1 ) Like above, the mean value of any of these expression is independent from ȳ. With Assumption (3), we have so glitch(x i y j ) = glitch(x i )ȳ j glitch((x i y j ) (x j y i )) = glitch(x i )ȳ j glitch(x j )ȳ i glitch(z 1 ) = glitch(x )(ȳ ȳ 3 ) glitch(x 3 )ȳ glitch(z ) = glitch(x 3 )(ȳ 3 ȳ 1 ) glitch(x 1 )ȳ 3 glitch(z 3 ) = glitch(x 1 )(ȳ 1 ȳ ) glitch(x )ȳ 1 Σpower = ( glitch(x i )ȳ j p AND + glitch(x i )((ȳ i ȳ i+1 ) + ȳ i 1 ) i,j i ) glitch(x i )glitch(x i+1 )((ȳ i ȳ i+1 )ȳ i ) i p XOR Like above, the mean value of any of these expression is independent from ȳ. 4.1 Power Analysis not Based on the Mean Value (All Assumptions) We have already seen that no glitch value has a distribution which depends on ȳ. So let us focus on the distribution of Σpower. With glitch(x 1 ) = 1 and glitch(x ) = glitch(x 3 ) = 0, we obtain with Assumption (1) that Σpower = (ȳ 1 + ȳ + ȳ 3 )(p AND + p XOR ) ȳ 1 p XOR With Assumption (), our previous computations simplify to { 0 if i 1 glitch(x i y j ) = ȳ j if i = 1 glitch((x y 3 ) (x 3 y )) = 0 glitch(z 1 ) = 0 glitch((x 3 y 1 ) (x 1 y 3 )) = ȳ 3 glitch(z ) = ȳ 3 glitch((x 1 y ) (x y 1 )) = ȳ glitch(z 3 ) = ȳ 1 ȳ 8

9 so Σpower = (ȳ 1 + ȳ + ȳ 3 )p AND + ((ȳ 1 ȳ ) + ȳ + ȳ 3 )p XOR With Assumption (3), we have the same results except glitch(z 3 ) = ȳ 1 ȳ. So Σpower = (ȳ 1 + ȳ + ȳ 3 )p AND + ((ȳ 1 ȳ ) + ȳ + ȳ 3 )p XOR We count the number of gates with a glitched output following the two assumptions. We also indicate Σpower assuming that p AND = 1 and p XOR = 4. 1 The results are on Table 1. Table 1. Distributions for a glitch in x 1 in the threshold implementation Assumption (1) Assumption () Assumption (3) ȳ ȳ 1 ȳ ȳ 3 #AND #XOR Σpower #AND #XOR Σpower #AND #XOR Σpower mean variance mean variance stat. dist Clearly, the distributions of Σpower ȳ = 0 and Σpower ȳ = 1 are very different. For instance, the parity of #AND is always equal to ȳ. The supports of the distributions #XOR ȳ = 0 and #XOR ȳ = 1 are disjoint with Assumption (1). So, we can distinguish them with one sample with advantage 1. With Assumption () or Assumption (3), the statistical distance of the distributions #XOR ȳ = 0 and #XOR ȳ = 1 is 1. So, a trivial statistic with a couple of samples would recover ȳ assuming no noise. We consider several types of distinguishers base on measuring #XOR. As the impact of the glitched XORs on Σpower is bigger, we can assume we measure it this way. We could also consider other side channel attacks which can separate the XORs from and ANDs. 1 We took p XOR = 4p AND as an example, which justifies by assuming that we use 4 NAND gates to make a XOR gate. But this must only be taken as an example. Note that an AND requires two NAND gates but the second one which is used as a NOT gate can often cancel with subsequent gates. 9

10 Best distinguisher. With Assumption (1) and #XOR, the best distinguisher returns 0 if #XOR {0, 3, 4} and it returns 1 if #XOR {1,, 5}. A statistical distance of 1 means that we can guess ȳ with an error probability 0. A statistical distance of 0.5 means that we can guess ȳ with an error probability 1 4. In practice, measuring #XOR may give a noisy value making it hard to implement this distinguisher. I.e., 0 and 1 may be too close to be distinguishable, as well as and 3, and 4 and 5. Threshold distinguisher. We consider the distinguisher giving 1 #XOR+noise τ, i.e. 1 if #XOR (rather its noisy value from a side channel) is below a given threshold τ. Assuming that noise follows an independent normal distribution with mean 0 (w.l.o.g. by adjusting τ) and variance σ V (#XOR), we have ( ) Pr[noise x] = 1 erfc x σ V (#XOR) so the Type I error in guessing ȳ is ( ) α = 1 i τ erfc Pr[#XOR = i ȳ = 0] σ V (#XOR) i The Type II error is ( ) β = 1 1 i τ erfc Pr[#XOR = i ȳ = 1] σ V (#XOR) i For Assumption (1), we have V (#XOR) = 9 4 and ( ) α = 1 5 i τ erfc Pr[#XOR = i ȳ = 0] i=0 ( ( ) ( ) ( )) = 1 τ 3 τ 4 τ erfc + erfc + erfc 8 For τ =.5, using erfc( x) = erfc(x), we obtain ( ( ) ( ) ( α = erfc + erfc + erfc 8 Similarly, we have β = α. So, we have P e = α = β and ( ( ) ( ) ( P e = erfc + erfc + erfc 8 )) 1.5 )) 0.5 = 1 Ω(σ 3 ) As σ goes from 0 to infinity, P e grows from 1 4 to 1. For instance, for σ = 1, we have P e 38%. For σ = 1, we have P e 46%. For σ =, we have P e 49.35%. 10

11 So, even with a big noise, we can recover ȳ with an interesting advantage with only one sample. Of course, we can amplify this advantage by using several samples. Since we have α = β = P e, by using (4) we obtain a new error probability of P e = e 13% with N = ( 1 P e) = O(σ 6 ). We obtain the following table: σ: N: So, measuring the number of XORs (a number between 0 and 5) with a big noise of standard deviation twice what we want to measure still allows to deduce ȳ with less than samples with Assumption (1). Moment distinguisher. Instead of computing the average of Σpower, we compute the moment E((Σpower) d ) of order d, just like in Moradi [6,10]. With Assumption (1), we have E(Σpower y = 0) = E(Σpower y = 1) = 3 p AND + 5 p XOR V (Σpower y = 0) = V (Σpower y = 1) = 3 4 p AND + 5 p ANDp XOR p XOR but the moments of order d = 3 differ. So (Σpower) 3 leaks ȳ. With Assumption (), we have E(Σpower y = 0) = E(Σpower y = 1) = 3 p AND p XOR V (Σpower y = 0) = 3 4 p AND p ANDp XOR p XOR V (Σpower y = 1) = 3 4 p AND p ANDp XOR p XOR V (Σpower y = 0) V (Σpower y = 1) = 1 p ANDp XOR + p XOR With Assumption (3), we have V (Σpower y = 0) = 3 4 p AND + p AND p XOR + 5 p XOR V (Σpower y = 1) = 3 4 p AND + 1 p ANDp XOR + 1 p XOR V (Σpower y = 0) V (Σpower y = 1) = 3 p ANDp XOR + p XOR Clearly, the mean of (Σpower) (i.e., d = ) leaks ȳ with Assumption () and Assumption (3). For Assumption (1), the same holds with (Σpower) 3. If E(Σpower) is known and we measure Z = S + noise with S = Σpower E(Σpower) and a centered Gaussian noise of variance σ V (Σpower), we can compute Z = S + noise with noise = Snoise + noise σ V (Σpower). So, 11

12 it is as if we measured S with noise noise. The variance of noise is roughly 4σ V (S ), so the attack works as if we just doubled σ. For instance, our previous computation shows that by doubling σ we roughly multiply N by 50. With this approach, threshold implementation penalizes the precision of the measurement. 4. Probing Attack with Two Probes Based on the Mean Value (All Assumptions) We can further see what probing can yield. With Assumption (1,3), we have glitch(z ) = ȳ 3 and glitch(z 3 ) = ȳ 1 ȳ. So, probing both z and z 3 is enough to recover ȳ. With Assumption (), this leaks (ȳ 3, ȳ 1 ȳ ). For ȳ = 0, the distribution of this couple is Pr[(0, 0)] = 1 4, Pr[(0, 1)] = 1 4, Pr[(1, 1)] = 1. For ȳ = 1, the distribution of this couple is Pr[(0, 1)] = 1, Pr[(1, 0)] = 1 4, Pr[(1, 1)] = 1 4. So, the statistical distance is 1 and the probability of error for guessing ȳ is 1 4. As an example, with Assumption (1) we compute S = glitch(z )+glitch(z 3 ) glitch(z )glitch(z 3 ). Assuming that both glitch(z ) and glitch(z 3 ) are subject to some noise with same parameter σ, the value we obtain for S is similar to a noisy value with the parameter σ multiplied by a constant factor less than 3. In our table, this results in a complexity N multiplied by a factor 300. We recall that [7] claims no security when probing two values. 4.3 Power Analysis and Probing Attack on Two ANDs Based on the Mean Value (Assumption () or (3)) We use two consecutive threshold AND gates to compute the AND between z and another shared bit u to obtain v = x y u. We assume no glitch on the y and u variables. We assume that only x 1 has a glitch. We have z 1 = (x y ) ((x y 3 ) (x 3 y )) v 1 = (z u ) ((z u 3 ) (z 3 u )) z = (x 3 y 3 ) ((x 1 y 3 ) (x 3 y 1 )) v = (z 3 u 3 ) ((z 1 u 3 ) (z 3 u 1 )) z 3 = (x 1 y 1 ) ((x 1 y ) (x y 1 )) v 3 = (z 1 u 1 ) ((z 1 u ) (z u 1 )) With Assumption (1), the linearity of the equations make sure that the expected value of the glitch variables are independent from ȳ. Now, under Assumption (), we have glitch(z 1 ) = 0 glitch(v 1 ) = max(glitch(z )(ū ū 3 ), glitch(z 3 )ū ) glitch(z ) = ȳ 3 = max(ȳ 3 (ū ū 3 ), (ȳ 1 ȳ )ū ) glitch(z 3 ) = ȳ 1 ȳ so we can now try to probe v 1. We have the 3 following cases: ū = ū 3 = 0 (probability 1 4 ): we have v 1 = 0, no glitch and nothing leaks. ū = 0 and ū 3 = 1 (probability 1 4 ): v 1 has a glitch if and only if ȳ 3 = 1. ū = 1 (probability 1 ): v 1 has a glitch when ȳ 1 ȳ ȳ 3 = 1. For ȳ = 1, there is always a glitch. For ȳ = 0, there is a glitch with probability

13 So, if ȳ = 0, we observe a glitch in v 1 with probability = 1. If ȳ = 1, the probability becomes = 5 8. Hence, the mean 7 value reveals ȳ. A single sample gives an error probability of 17. Now, under Assumption (3), we have glitch(z 1 ) = 0 glitch(z 3 ) = ȳ 1 ȳ glitch(z ) = ȳ 3 glitch(v 1 ) = ȳ 3 (ū ū 3 ) (ȳ 1 ȳ )ū so we can try to probe v 1 again. With probability 1 4, we have ū ū 3 = ū = 1 so glitch(v 1 ) = ȳ. Otherwise, glitch(v 1 ) is uniformly distributed. So, for ȳ = 0, E(glitch(v 1 )) = 3 8 and for ȳ = 1, E(glitch(v 1)) = 5 8. Again, ȳ leaks from the mean value. A single sample gives an error probability of 3 8. The attack with noisy values is hardly more complicated than for n = 1. Note that [7] does not claim any security on the composition of two AND gates. But this attacks clearly shows the limitation of this approach. 5 Implementation with n = 4 Assuming that (x 1, x, x 3, x 4 ) shares x, (y 1, y, y 3, y 4 ) shares y, and (z 1, z, z 3, z 4 ) shares z, Nikova, Rechberger, and Rijmen [7] propose z 1 = ((x 3 x 4 ) (y y 3 )) y y 3 y 4 x x 3 x 4 z = ((x 1 x 3 ) (y 1 y 4 )) y 1 y 3 y 4 x 1 x 3 x 4 z 3 = ((x x 4 ) (y 1 y 4 )) y x z 4 = ((x 1 x ) (y y 3 )) y 1 x 1 It was proposed as an improvement to the n = 3 scheme as it makes all z i shares balanced. This property is called uniformity in [8]. It was used to address composition. So, we look again at the composition of two AND circuits. Again, we assume glitch(x 1 ) = 1, glitch(x ) = glitch(x 3 ) = glitch(x 4 ) = glitch(y i ) = 0 for i = 1,..., 4 and glitch(x 1 ) = 1. So, glitch(z 1 ) = 0, glitch(z ) = (ȳ 1 ȳ 4 ) + 1, glitch(z 3 ) = 0, and glitch(z 4 ) = (ȳ ȳ 3 ) + 1 with Assumption (1). We compute v = z u = (x y) u using the threshold implementation with So, we have v 1 = ((z 3 z 4 ) (u u 3 )) u u 3 u 4 z z 3 z 4 v = ((z 1 z 3 ) (u 1 u 4 )) u 1 u 3 u 4 z 1 z 3 z 4 v 3 = ((z z 4 ) (u 1 u 4 )) u z v 4 = ((z 1 z ) (u u 3 )) u 1 z 1 glitch(v 1 ) = (ȳ ȳ 3 + 1)(ū ū 3 ) + (ȳ 1 ȳ 4 ) + (ȳ ȳ 3 ) + glitch(v ) = ȳ ȳ glitch(v 3 ) = ((ȳ 1 ȳ 4 ) + (ȳ ȳ 3 ) + )(ū 1 ū 4 ) + ȳ 1 ȳ glitch(v 4 ) = ((ȳ 1 ȳ 4 ) + 1)(ū ū 3 ) 13

14 Hence, we can just probe v 1 and see if it has a glitch. With probability 1, we have ū = ū 3 so glitch(v 1 ) = (ȳ ȳ 3 ) + (ȳ 1 ȳ 4 ) + 3. In other cases, we have glitch(v 1 ) = (ȳ 1 ȳ 4 ) + (ȳ ȳ 3 ) + which is uniformly distributed. So, by repeating enough times, the majority of glitch(v 1 ) is ȳ with high probability. The attack with noisy values is hardly more complicated than for n = 1. Computations with Assumptions () or (3) are similar. Note that [7] does not claim any security on the composition of two AND gates. However, the n = 4 implementation was made to produce a balanced sharing of the output to address composability through pipelining, meaning by adding a layer of registers between the circuits we want to compose. Here, we consider the composition of two AND gates without pipelining. Indeed, we certainly do not want to add registers in between two single gates! But our attacks shows that the entire layer of circuit that we want to compose through pipelining must be analyzed as a whole, since single gates clearly do not compose well. 6 Higher-Order Threshold Implementation with n = 5 In [1], Bilgin et al. propose an example of higher-order threshold implementation. Equation (1) in [1] implements ȳ = 1 ā b c. To obtain the implementation of an AND gate, we just remove the 1 and the a terms and obtain y 1 = (b c ) (b 1 c ) (b c 1 ) y 6 = (b c 4 ) (b 4 c ) y = (b 3 c 3 ) (b 1 c 3 ) (b 3 c 1 ) y 7 = (b 5 c 5 ) (b c 5 ) (b 5 c ) y 3 = (b 4 c 4 ) (b 1 c 4 ) (b 4 c 1 ) y 8 = (b 3 c 4 ) (b 4 c 3 ) y 4 = (b 1 c 1 ) (b 1 c 5 ) (b 5 c 1 ) y 9 = (b 3 c 5 ) (b 5 c 3 ) y 5 = (b c 3 ) (b 3 c ) y 10 = (b 4 c 5 ) (b 5 c 4 ) Then, Equation () in [1] decreases the number of shares to 5 by z 1 = (b c ) (b 1 c ) (b c 1 ) z 5 = (b c 3 ) (b 3 c ) (b c 4 ) z = (b 3 c 3 ) (b 1 c 3 ) (b 3 c 1 ) = (b 4 c ) (b 5 c 5 ) (b c 5 ) z 3 = (b 4 c 4 ) (b 1 c 4 ) (b 4 c 1 ) = (b 5 c ) (b 3 c 4 ) (b 4 c 3 ) z 4 = (b 1 c 1 ) (b 1 c 5 ) (b 5 c 1 ) (b 3 c 5 ) (b 5 c 3 ) (b 4 c 5 ) (b 5 c 4 ) This nd order implementation is supposed to resist to probing attacks with two probes. Normally, the transform of (y 1,..., y 10 ) to (z 1,..., z 5 ) by z i = y i for i < 5 and z 5 = y 5 y 10 must be done with intermediate registers to avoid the propagation of glitches. We wonder what happens without these registers. Let consider an attack probing z 4 and z 5. If there is a glitch in b 5 and no other input share, we have glitch(z 4 ) = c 1 and glitch(z 5 ) = glitch((b 5 c ) (b 5 c 3 ) (b 5 c 4 ) (b 5 c 5 )) With Assumption (1), this is glitch(z 5 ) = c + c 3 + c 4 + c 5. With Assumption (), this is glitch(z 5 ) = max( c, c 3, c 4, c 5 ). With Assumption (3), this is glitch(z 5 ) = 14

15 Table. Distribution of (glitch(z 4), glitch(z 5)) for a glitch in b 5 in the nd order threshold implementation c c 1 c c 3 c 4 c 5 A. (1) A. () A. (3) (0, 0) (0, 0) (0, 0) (0, ) (0, 1) (0, 0) (0, ) (0, 1) (0, 0) (0, ) (0, 1) (0, 0) (0, ) (0, 1) (0, 0) (0, ) (0, 1) (0, 0) (0, ) (0, 1) (0, 0) (0, 4) (0, 1) (0, 0) (1, 1) (1, 1) (1, 1) (1, 1) (1, 1) (1, 1) (1, 1) (1, 1) (1, 1) (1, 1) (1, 1) (1, 1) (1, 3) (1, 1) (1, 1) (1, 3) (1, 1) (1, 1) (1, 3) (1, 1) (1, 1) (1, 3) (1, 1) (1, 1) mean variance ( 1, ) ( 1, ( 1, 1) ( 1, c c 1 c c 3 c 4 c 5 A. (1) A. () A. (3) (0, 1) (0, 1) (0, 1) (0, 1) (0, 1) (0, 1) (0, 1) (0, 1) (0, 1) (0, 1) (0, 1) (0, 1) (0, 3) (0, 1) (0, 1) (0, 3) (0, 1) (0, 1) (0, 3) (0, 1) (0, 1) (0, 3) (0, 1) (0, 1) (1, 0) (1, 0) (1, 0) (1, ) (1, 1) (1, 0) (1, ) (1, 1) (1, 0) (1, ) (1, 1) (1, 0) (1, ) (1, 1) (1, 0) (1, ) (1, 1) (1, 0) (1, ) (1, 1) (1, 0) (1, 4) (1, 1) (1, 0) mean variance ( 1, ) ( 1, ( 1, 1) ( 1, c c 3 c 4 c 5. So, we obtain the distributions for (glitch(z 4 ), glitch(z 5 )) which is on Table. As we can see, the mean and the variance do not leak (as intended). However, the distributions are quite far apart. Indeed, for Assumption (3), we have c = glitch(z 4 ) glitch(z 5 ) so it is clear that c leaks. For Assumption (1), we have c = glitch(z 4 ) (glitch(z 5 ) mod ) so it is clear that c leaks as well. For Assumption (), the distributions are distribution (0, 0) (0, 1) (1, 0) (1, 1) (glitch(z 4 ), glitch(z 5 )) c = 0 1/16 7/16 0/16 8/16 (glitch(z 4 ), glitch(z 5 )) c = 1 0/16 8/16 1/16 7/16 so the statistical distance is 1 8. This means that from a single value we can deduce c with an error probability of P e = Of course, this amplifies like in (4) using more samples. Hence, two probes leak quite a lot. So, we clearly see that avoiding the extra registers needed to avoid the number of shares to inflate makes the implementation from [1] insecure. 7 Conclusion We have shown that the threshold implementations are quite weak against many simple attacks: distinguishers based on non-linear functions on the power traces (as simple as a threshold function or a power function), multiple probes, and 15

16 linear distinguishers for a cascade of circuits. Although they do not contradict the results by their authors, these attacks show severe limitations on this approach. We have seen that compared to the attack on the AND gate with no protection, the threshold implementation proposals only have the effect to amplify the noise of the side-channel attack by a constant factor. Therefore, we believe that there is no satisfactory protection for attacks based on glitches. References 1. B. Bilgin, B. Gierlichs, S. Nikova, V. Nikov, V. Rijmen. Higher-Order Threshold Implementations. In Advances in Cryptology ASIACRYPT 14, Kaohsiung, Taiwan, Lecture Notes in Computer Science , pp vol., Springer-Verlag, S. Chari, C.S. Jutla, J.R. Rao, P Rohatgi. Towards Sound Approaches to Counteract Power-Analysis Attacks. In Advances in Cryptology CRYPTO 99, Santa Barbara, California, U.S.A., Lecture Notes in Computer Science 1666, pp , Springer-Verlag, H. Chernoff. A Measure of Asymptotic Efficiency for Tests of a Hypothesis Based on the sum of Observations. Annals of Mathematical Statistics, vol. 3 (4), pp , A. Duc, S. Dziembowski, S. Faust. Unifying Leakage Models: From Probing Attacks to Noisy Leakage. In Advances in Cryptology EUROCRYPT 14, Copenhaguen, Denmark, Lecture Notes in Computer Science 8441, pp , Springer-Verlag, S. Mangard, T. Popp, B.M. Gammel. Side-Channel Leakage of Masked CMOS Gates. In Topics in Cryptology CT-RSA 05, San Francisco CA, USA, Lecture Notes in Computer Science 3376, pp , Springer-Verlag, A. Moradi. Statistical Tools Flavor Side-Channel Collision Attacks. In Advances in Cryptology EUROCRYPT 1, Cambridge, UK, Lecture Notes in Computer Science 737, pp , Springer-Verlag, S. Nikova, C. Rechberger, V. Rijmen. Threshold Implementations Against Side- Channel Attacks and Glitches. In Information and Communication Security ICICS 06, Raleigh NC, USA, Lecture Notes in Computer Science 4307, pp , Springer-Verlag, S. Nikova, V. Rijmen, M. Schläffer. Secure Hardware Implementation of Nonlinear Functions in the Presence of Glitches. Journal of Cryptology, vol. 4, pp. 9 31, Oscar Reparaz and Begl Bilgin and Svetla Nikova and Benedikt Gierlichs and Ingrid Verbauwhede. Consolidating Masking Schemes. In Advances in Cryptology CRYPTO 15, Santa Barbara, California, U.S.A., Lecture Notes in Computer Science , pp , Springer-Verlag, F.-X. Standaert, N. Veyrat-Charvillon, E. Oswald, B. Gierlichs, M. Medwed, M. Kasper, S. Mangard The World Is Not Enough: Another Look on Second- Order DPA. In Advances in Cryptology ASIACRYPT 10, Singapore, Lecture Notes in Computer Science 6477, pp , Springer-Verlag, E. Trichina, T. Korkishko, K.H. Lee. Small Size, Low Power, Side Channel-Immune AES Coprocessor: Design and Synthesis Results. In Advanced Encryption Standard AES 04, Bonn, Germany, Lecture Notes in Computer Science 3373, pp , Springer-Verlag,